When water utilities get hacked, who should they call?

In the wake of a cybersecurity breach at a public water system, lawmakers have begun questioning what rules are in place to govern those facilities' cybersecurity and what changes may be necessary.

Royalty-free stock photo ID: 748502299  Reverse osmosis system for water drinking plant.  N By NavinTar
 

The federal government's leading cybersecurity agency said a potentially lethal breach of a Florida water treatment plant last month was caused by two factors: a desktop sharing application being widely used due to the coronavirus pandemic and an outdated operating system no longer receiving security updates. The close call is now prompting lawmakers to question what entities govern cybersecurity at water utilities and what changes must be made before a future attack succeeds in harming the public.

Cybersecurity regulations for different industries vary because the rules are set by whichever government agency or panel is responsible for that sector. For water treatment facilities like the one in Oldsmar, Fla., the Environmental Protection Agency is responsible.

That designation comes from an Obama-era policy directive that stated the EPA is the sector-specific agency for water and wastewater systems. In the event of a compromise, such as what happened Feb. 5, EPA partners with the FBI and the Cybersecurity and Infrastructure Security Agency to investigate.

EPA is also charged with administering requirements in America's Water Infrastructure Act, according to an agency spokesman. Any plant serving more than 3,300 people has to plan for "malevolent acts" such as a cybersecurity threat and maintain risk assessments as well as emergency response plans. Those efforts are managed by the water security division which assists facilities in "preparing for, identifying, responding to, and recovering from" cybersecurity threats," according to the spokesman.

While the EPA requires that water utilities certify their response plans and risk assessments are completed, the agency does not receive copies of those documents, the spokesman added.

The EPA's 2021 budget request included approximately $7.7 million for assisting local and state water utilities with preparing their infrastructure against both physical and cybersecurity threats. The funding goes toward in-person training workshops, conducting tabletop exercises to improve mutual aid agreements among facilities and "advancing recognition of vulnerabilities and needed responses related to cyber risk management," according to the agency's budget justification documents.

Lawmakers in the latest spending bill funded the EPA's homeland security portfolio, which includes other programs in addition to water systems, slightly higher than the agency's requested amount.

"While much emphasis has been placed on physical and cybersecurity needs, the coronavirus pandemic has highlighted the need to also ensure that a sufficient number of trained personnel are available at all times to operate these critical systems," lawmakers wrote in a report accompanying the spending bill.

But is an agency like the EPA equipped to set the cybersecurity standards for water utilities and is there a viable path for change if not? The answer, cybersecurity experts tell FCW, is not clear cut: a higher level of cyber expertise across the board of the federal government is necessary, but expecting CISA to become a regulatory arbiter or for lawmakers to yield ground on the jurisdiction of cybersecurity appears to be unrealistic.

"Having separate regulators is important because each industry faces unique challenges in cybersecurity," said David Forscey, managing director of the Aspen Cybersecurity Group. "The federal agencies who oversee the nuclear and healthcare sectors employ people who understand those realities and are less likely to write rules that make zero practical sense."

Forscey added that a single cybersecurity regulator is probably not politically viable either. The structure of congressional committees provides dozens of panels with some level of jurisdiction on the issue. Centralizing authority with CISA would also effectively cordon off the issue of cybersecurity for dozens of lawmakers and their committees, something Congress has historically resisted when members previously proposed a select committee on cybersecurity.

Sarah Powazek, an analyst at the Institute for Security and Technology, said it is appropriate that the EPA would manage systems for water facilities given their understanding of the sector. But there is an opening for an agency like CISA to play a larger role in setting standards and best practices.

"Though this would require a significant increase in authority and funding, this role change has support," she said, referring to a panel of cybersecurity experts who made a similar suggestion to House lawmakers in February.

"The 101 federal civilian agencies are simply not in a position to secure themselves all by themselves. And the reason for that is the lack of resources, the lack of personnel and the and the lack of follow through," Chris Krebs, the former director of CISA, told the House Homeland Security Committee.

But if CISA were to take on a bigger role as a regulator, that could jeopardize the relationships it has worked to build outside government, said Matt Hayden, formerly a senior official at DHS and CISA during the Trump administration.

Because CISA approaches companies, agencies and other non-governmental organizations as a partner trying to help, rather than a regulator that will potentially alter policy, CISA is able to have much more candid conversations, Hayden said. "That's where CISA as a partner to existing regulators has such a strong presence," he added.

"There probably needs to be a federal action to provide these municipalities a way out of their legacy environments to provide for better cybersecurity protections and more modern solutions," he added.

At least one lawmaker is already eyeing specific changes.

Sen. Mark Warner (D-Va.), the top lawmaker on the Senate Select Committee on Intelligence, recently sent a letter to the FBI and Environmental Protection Agency asking if the Oldsmar facility was compliant with the 2015 Water and Wastewater Systems Sector-Specific plan and if that plan should be updated.

"This incident has implications beyond the 15,000-person town of Oldsmar," he wrote. "While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar… future compromises of this nature may not be detected in time."

The Water Information Sharing and Analysis Center, which provides advice to the federal government through the water sector coordinating council, did not respond to requests for comment for this story.

Regardless of what Congress or regulatory agencies do in the coming months, Forscey, the Aspen Cybersecurity Group official, argued the "jury is out" on what effect cybersecurity regulations actually have in protecting public utilities.

"You can show with convincing data that federal aviation safety rules have reduced airline disasters," Forscey said. "But you will be hard pressed to find anyone who can prove cybersecurity regulations for finance, healthcare and energy or transportation industries have reduced cyber risk. We just don't have that data."